← Back to Skills Marketplace
Moodle Connector
by
Jabir Iliyas Suraj-Deen
· GitHub ↗
· v2.0.0
· MIT-0
264
Downloads
0
Stars
1
Active Installs
8
Versions
Install in OpenClaw
/install moodle-connector
Description
Moodle REST API client, batch downloader, and MCP server for Claude Code integration. SSO-enabled with support for Azure AD, Google, and SAML.
Usage Guidance
This skill appears to implement the advertised Moodle features but has several red flags you should address before using it with real credentials: 1) The registry metadata lists no required env vars but the SKILL.md and code require SSO client IDs/secrets and an encryption password — assume you must supply them. 2) Do NOT store MOODLE_CRED_PASSWORD or client secrets in plaintext config files (the README currently suggests adding them to claude_desktop_config.json); instead provide them via a secure secret store or prompt at runtime. 3) The code includes insecure defaults: mcp_server.py and batch_downloader.py use a hard-coded 'test-pass' password which will fail to decrypt real credentials and is a security risk if left in production. Change/remove hard-coded defaults. 4) config.json can hold a Moodle web_service_token in plaintext — prefer encrypted storage or environment-based injection. 5) There is at least one obvious bug: batch_downloader.py uses os.getenv but does not import os (will crash). 6) Playwright will download browser binaries at install time — review network activity and run in an isolated environment if you test. 7) The source is listed as unknown/homepage none in the registry snapshot; verify the upstream repository and author before trusting or running. Recommended actions: review the code yourself (or have a developer do so), remove hard-coded passwords, avoid putting secrets into persistent plaintext config, test in a sandbox container, and only then run with real credentials.
Capability Analysis
Type: OpenClaw Skill
Name: moodle-connector
Version: 2.0.0
The skill bundle contains a significant security vulnerability: a hardcoded default encryption password ('test-pass') is used in 'mcp_server.py' and 'batch_downloader.py' to protect the local credential store, contradicting the documentation's claim that an environment variable is required. Additionally, 'moodle_connector.py' utilizes Playwright for browser automation to scrape authentication tokens from Moodle SSO/MFA flows; while this is aligned with the stated purpose of handling enterprise authentication, browser automation and token scraping are high-risk capabilities in an AI agent context. The discrepancy between the security instructions in 'SKILL.md' and the actual implementation in 'mcp_server.py' warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The files implement a Moodle REST client, SSO flows, batch downloader, and an MCP server — which matches the skill name/description. However the registry metadata declares no required env vars or primary credential while the SKILL.md and code require SSO client secrets and an encryption password (MOODLE_CRED_PASSWORD). That mismatch is unexpected and reduces confidence in the metadata.
Instruction Scope
SKILL.md instructs installing Playwright and running browser-based SSO, storing an encryption password in claude_desktop_config.json, and putting tokens in config.json. The code will drive a browser, make network calls to Moodle and Microsoft login endpoints, save encrypted credentials to disk, and can be run as an MCP server. Instructions also recommend placing the encryption password in a config file (plaintext) — this exposes the key used to decrypt stored credentials. There are no instructions to avoid leaking that password, and the README suggests automation (Tampermonkey/CI) that could persist credentials.
Install Mechanism
There is no platform install spec in the registry (instruction-only), but package.json and SKILL.md instruct using pip and Playwright. Dependencies come from PyPI (requests, cryptography, playwright, mcp) and Playwright will fetch browser binaries. This is expected for a browser-driven SSO tool but does perform network downloads at install-time; no obscure or remote single-file download URLs were used.
Credentials
The skill legitimately needs SSO client IDs/secrets and an encryption password, and the SKILL.md documents these env vars. However the registry lists no required env vars. More importantly: (1) the code and SKILL.md encourage storing the encryption password in claude_desktop_config.json (plaintext), (2) config.json is used to store the Moodle web_service_token in plaintext, and (3) multiple places use a default/hard-coded password 'test-pass' (mcp_server.py and batch_downloader.py), which is insecure and inconsistent with SKILL.md's MOODLE_CRED_PASSWORD guidance. These practices increase the risk of credential exposure.
Persistence & Privilege
The skill is not force-included (always:false) and does not request system-wide privileges. The MCP server runs over stdio and does not modify other skills' configurations. Autonomous invocation (disable-model-invocation:false) is the platform default and is not by itself flagged. The main concern is user-provided configuration that may persist secrets.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install moodle-connector - After installation, invoke the skill by name or use
/moodle-connector - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.0
Major update: SSO Support & Headless Deployment Features. Support for Azure AD, Google OAuth, and SAML. Mobile Launch Flow integration. Tampermonkey helper for CI/CD. Bilingual documentation (English & Spanish).
v1.0.6
Fix: remove all remaining GPLv3 references (MIT license only)
v1.0.5
Re-scan: All security issues resolved (env var enforcement, error sanitization, MIT license)
v1.0.4
Security fixes: enforce MOODLE_CRED_PASSWORD, sanitize MCP errors, no hardcoded defaults
v1.0.3
Bundle source code: no git clone needed, all files included
v1.0.2
Remove checkmarks, fix GPLv3 reference in metadata
v1.0.1
MIT license + security & permissions disclosure
v1.0.0
Initial release
Metadata
Frequently Asked Questions
What is Moodle Connector?
Moodle REST API client, batch downloader, and MCP server for Claude Code integration. SSO-enabled with support for Azure AD, Google, and SAML. It is an AI Agent Skill for Claude Code / OpenClaw, with 264 downloads so far.
How do I install Moodle Connector?
Run "/install moodle-connector" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Moodle Connector free?
Yes, Moodle Connector is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Moodle Connector support?
Moodle Connector is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Moodle Connector?
It is built and maintained by Jabir Iliyas Suraj-Deen (@jabir-srj); the current version is v2.0.0.
More Skills